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A system for loading an 
applet and its associated use 
rights into a smart card having 
other applets with associated 
use rights with values that 
change as the application is 
used is provided that stores, 
remotely from said smart 
card, an applet and use rights 
with a predetermined initial 
value, associated with the 
applet, and has a smart card 
having a processing unit, and 
a memory unit, the memory 
unit being connected to the 
processing unit and storing 
a second application having 
use rights. The smart card 
may be connected to said 
remote storage means, and 
the application, having use 
rights with a predetermined 
value, may be loaded from 
said remote storage means 
into said smart card. A smart 
card is also provided having a 

processor for executing an application, a memory, connected to the processor, for storing multiple applications, including a first application 
having first use rights and having first values associated with the first use rights, the first value changing from a predetermined initial 
value with use of the first use rights, a system for loading in the smart card a second application from a remote location over an interface, 
the second application having second use rights, a system for storing said second application into said memory in said smart card, and a 
system for changing the use rights of said first application and said second application. A method of replenishing the use rights in a smart 
card is also provided. 
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A SYSTEM AND METHOD FOR LOADING APPLICATIONS OrvTO 

A SMART CARD 

5 

Background of the Invention 

This invention relates generally to secure portable tokens, such as smart 
cards and in particular to smart cards having reloadable applications. 

10 As is well known, a smart card may be a plastic, credit card-sized card 

containing a semiconductor chip, such as a microprocessor built into the smart 
card so that it may execute some simple application programs, which mav be 
referred to as applets. Some examples of the applications in a smart card include 
security and authentication, information storage and retrieval, and credit and 

15 debit operations for managing value accounts, such as prepaid phone time and 

debit accounts. Each value account application on the smart card has a particular 
type of use rights associated with the application. For example, a prepaid phone 
time application may have a predetermined number of prepaid phone minutes 
that are used up as phone calls are made with the card, and a prepaid public 

20 transit account may have an initial preset monetary values which is debited with 

each use of public transportation. To store and execute these applets, these smart 
cards have a built-in memory and processor. In order to ensure the security of 
the use rights on these smart cards, oniy the processor within the smart card may 
ordinarily alter the value of the use rights, and only after an authorization 

25 sequence has been successfully conducted. The network in which the smart card 
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is being used does not have any direct access to the memory of the smart card 
nor to the use rights of any application. 

There are generally two different types of smart cards, i.e.. disposable 
smart cards and permanent, non-disposable smart cards. A disposable smart 
card-may have a rudimentary semiconductor chip embedded within the smart 
card and may have a limited amount of memory and some hardwired logic. The 
disposable smart cards may have a predetermined initial amount of prepaid use 
rights or other value stored in the memory of the smart card established when 
the smart card is manufactured. The prepaid use rights are then depleted as the 
smart card is used. A prepaid phone card or a subway fare card are examples of 
disposable smart cards because these smart cards are thrown away after the 
prepaid use rights are depleted. These disposable smart cards are inexpensive 
because of the rudimentary semiconductor chip, but they have limited utility 
since their stored value cannot be replenished, and other applications cannot be 
installed on them. Due to the limited memory and processing power, these 
disposable smart cards also cannot execute sophisticated cryptographic 
algorithms, which means that these disposable smart cards are less secure. 

The non-disposable, permanent smart cards may have a more complex 
semiconductor chip embedded within the card, and may have a programmable 
micro-controller and an expanded memory. The memory may store one or more 
applets that have separate predetermined amounts of use rights for different 

- 2 - 
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functions. Importantly, these permanent smart cards have use rights that may be 
replenished so that the permanent smart card need not be discarded once the use 
rights are depleted. Examples of these permanent smart cards include banking 
cards according to the Europay/Mascercard/Visa standard, and pay television 
5 access control cards. These permanent smart cards have more memory for 

storarge of multiple applets and the use rights on the smart card may be 
separately and independently replenished. However, these permanent smart 
cards are also more expensive due to the additional memory and the micro- 
controller, and the replenishment can oniy be performed by the card issuer. 

10 

Initially, many companies issued disposable smart cards due to the lower 
initial investment. However, due to the security concerns of these disposable 
smart cards and the limited applications that may be run on these disposable 
cards, the current trend is to use permanent smart cards because several 
15 applications may be loaded onto a single permanent smart card. The permanent 

smart card is also more secure because more sophisticated cryptographic 
techniques may be used. 

Most conventional permanent smart cards may have a memory unit that 
20 may include a read only memory (ROM), a random access memory (RAM), and a 

non-volatile memory (NVM). The NVM may be, for example, a flash memory 
such as a flash electrically erasable programmable read only memory (Hash 
EEPROM), or a EEPROM. These permanent smart cards receive all of their 
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electrical power from t he term.na, t o which they are connected during use. As a 
consequence, the RAM, which is mMle mmo[y ^ ^ ^ ^ ^ ^ ^ 

pad memory for s.mpie computations that do nof need ,o be stored. The ROM. 
whtch is permanent, may store the operating system (OS) of the smart card and 
other programs which do no, need to be updated or changed, such as certain 
permanent appiets. The NVM may store certam appiets and the use rights 
secrets or values associated with all applications in the smart card. These 
conventional permanent smart cards mav have muldp.e appHcations that res.de 
in the memory of the smart card. 



Some convendonal permanent smart cards have fixed application programs 
that are stored in the ROM a, the dme that the smart card is manufactured. 
These smart cards do not permit any appiicadons to be stored in the NVM due to 
security concerns. The programs ,ha, are stored in the ROM canno, be altered. 
15 The appiicadons tor these ROM-based smart cards, however, take a great amount 

of dme to develop because the application mus, be developed and then be hard 
wred into the ROM. In addition, these fixed appiicadons ate no. changeable or 



removable. 



To solve the problems of a fixed application in the ROM, some current 
smart cards pernut appiicadons to be stored in the NVM. However, handling of 
applications and their associated use rights in the NVM of the smart card poses 
several problems. 
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First, there is a security problem since access to the application within the 
NVM may also permit access, by a clever individual, to the other applications 
within the NVM unless carefully controlled. In addition, a clever person may 
figure out a way to replenish his use rights illegally as they are also stored in the 
NVM. This is an especially large problem for banks that want to issue debit or 
electronic purse cards since a person could replenish the money available on the 
smart card without debiting his bank account. For a bank, it is desirable that no 
one , but the bank have access to the use rights within the smart card. This 
means that the use rights of any applet on a smart card may oniv be replenished 
by the card issuer, such as the bank, which may be inconvenient. In addition, any 
other company with applets on that smart card must have a relationship with the 
card issuer. 

Second, the replenishing of the use rights of an applet in the smart card 
may be slow because there must be a number of security procedures that must be 
followed when use rights are being changed. For example, there must be several 
authentication procedures to ensure that no illegal activities are occurring. 

Third, since each type of application may have a different type of use 
rights in various different units, such as phone minutes in time units versus cash 
in monetary units, each different application will probabiv require a different use 
rights reload procedure. For example, a use rights reload procedure for phone 



WO 98/09257 

PCT/IB97/0I042 



10 



15 



20 



minutes may not be able to replenish the cash of a debit account on a smart card. 
Thus, procedures that loads use rights into the smart card must be duplicated. 

To limit access to these use right values, conventional permanent smart 
cards have done several different things. First, some conventional permanent 
smart cards have controlled the access to certain areas of memory, known as 
memory zones, so that these memory zones are write-once areas. Other 
conventional permanent smart cards use a data dictionary, which keeps track of 
the memory areas in which each of the application must reside. Thus, some sort 
a memory management system must constantly verify that none of the 
applications are doing illegal activities. 



anv 



In summary, some conventional permanent smart cards do not allow 
applications to reside in the NVM to reduce security risks. Other conventional 
permanent smart cards have systems for replenishing the use rights of an 
application contained on a smart card, but limit this capability to the issuer of the 
smart card, and require separate loading procedures for each applet. None of 
these conventional smart card systems provide a system for loading an entire 
application of any type, including the use rights, into the memory of a permanent 
smart card. Accordingly, conventional smart cards cannot store disposable 
applications, such as a prepaid telephone time applet, because there is no method 
for removing the disposable application once it is depleted or replacing the 
disposable applet with a new applet. Thus, in conventional smart cards, these 
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depleted disposable applications would remain in the smart card taking up. 
valuable memory space. For this reason, most permanent smart cards today do 
not have any ability to handle disposable applications. 

5 Thus, there is a need for a svstem and method for universallv reloading 

different types of use rights in multiple application smart cards which avoid 
these and other problems of known devices, and it is to this end that the present 
invention is directed. 

10 Summary of the Invention 

The invention provides a smart card, as weli as a system and method for 
loading applications into the memory of a smart card which may load any type 
of application and its associated use rights, wherein the use rights mav have anv 
15 type of units. In addition, the system may load one or more disposable 

applications onto a permanent smart card since those disposable applications, 
once depleted, may be replaced with a new applet. 

The invention also provides an applet loading system for a smart card 
20 wherein the use rights associated with an applet may be replenished by 

reloading the applet and the use rights into the memory of the smart card. The 
system for loading applications into a smart card may be universal so that a 
single loading system may be used for a variety of applications. In accordance 
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with the .nvenbon, a system and method for reloading app.icahons „,thm a 
smart card is provided wherein the system may have a storage, remoteiv from 
sa,d smart card, tha, stores an appie, and use rights w„h a predeterm.ned .nrda, 
value, assocated w.th the appief. and has a smart card having a processing -unit, 
and a memory una,, the memory unat bring coruaecteo to the processing uru, and 
storing a second appl.cadon having use rights. The smart card may be connected 
to sa.d remote storage means, and the application, having use rights w«h a 
predetermrned value, mav be ioaded from sa.d remote storage means ,nto sa.d 
smart card. A smart card ,s also provided hav.ng a processor for executing an 
appiicadon, a memory, connected to the processor, for stonng multiple 
applications, including a firs, appiicadon hav.ng firs, use nghts and havmg firs, 
values assocated with the firs, use rights, the firs, value changing from a 
predetermrned intbal value with use of the firs, use rights, a system for loading 
in the smart card a second appiicadon from a remote locadon over an interface, 
the second appUcadon havmg second use rights, a system for storing sa.d second 
appl.cadon into satd memory ,n sard smart card, and a system for changmg the 
use nghts of said firs, appl.cation and sa.d second appiicadon. A method of 
replenishing die use .rights in a smart card is also prov.ded. 
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Brief Description of the Drawings 

Figure 1 is a block diagram or a smart card with which the invention mav 
be employed; 

Figure 2 is a block diagram depicting the creation of a program that may 
5 run on the smart card of Figure 1; 

- Figure 3 is a block diagram of the memory organization of the smart card 
of Figure 1; 

Figure 4 is a block diagram of a preferred system for reloading 
applications onto a smart card; 
10 Figure 5 is a block diagram of a first embodiment of a method in 

accordance with the invention of reloading an application into a smart card; 

Figure 6 is a block diagram of a second embodiment of a method in 
accordance with the invention of reloading an application into a smart card-; 
Figure 7 is a block diagram of a third embodiment of a method in 
15 accordance with the invention of reloading an application into a smart card; 

Figure S is a flowchart of a method of debiting use rights in a smart card; 

and 

Figure 9 is a flowchart of a method of replenishing the use rights of an 
application within a smart card in accordance with the invention. 



Detailed Description of a Preferred Embodiment 

The invention is particularly applicable to a system and method for 
reloading applications having use rights onto a permanent smart card so that the 
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use r.ghts of t he apphcation may be rep.en.shed when they have been deptaed 
It is in this context that the invention wili be descr.bed. It wi U be appreciated 
however; that the system and method in accordance with the invenhon has 
greater utility. 



- Figure 1 .s a block diagram of a smart card 20. also known as a token, of 
the type w.th whrch the invention may be empioyed The smart card mav be 
used in connection w.th the system and method of loading appbcabons into a 
smart card in accordance w.th the invention. The smart card may preferably be a 
permanent smart card, but mav also be a deposable smart card. Thas smart card 
20 may have a processor or CPU 22 and a memory 24. The memory may 
comprise a read only memory (ROM) 26. a random access memory (RAM) 28, 
and a non-volatile memory (NVM) 30, The NVM may be any type of whtab.e 
nonvolatile memory, such as an electncally erasable, programmable read onlv 
memory (EEPROM), a bartery backed RAM, or a flash memory, that can retain 
stored data when no electrical power ,s supplied ,o the memory. The ROM mav 
preferably store the operating system (OS) whrch controls the operation of the 
CPU of the smart card, and the RAM may be used as a temporary scratchpad 
memory. Because the smart card rece.ves ,1s electoral power from the terrrunal 
into which i, is inserted, as descxrbed below, all of the contents of the RAM will 
be lost when the smart card is removed from the terminal. The NVM may 
preferably be used to store one or more applications whrch may be referred to as 
applets due to the small size of the actual program code. Each of these applets 
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may have associated use rights which are specific to the applet. Other permanent 
applications that do not change, such as a credit/debit program, may be stored in 
the ROM. 

The processor 22 controls the operation of the smart card. The processor 
may "be connected to all of the memories within the memory system 24. Since 
there are use rights associated with an application, there is a need to make the 
smart card secure to prevent theft or alteration of the use rights. To accomplish 
this security, the processor is the only system that is capable of accessing any of 
the memories. There is no direct access to any of the memories from outside of 
the smart card. In addition, any outside access to the memories of the smart card 
must be conducted through an input/cutput (I/O) line 32 that is connected to the 
processor 22. The smart card may also have more than one I/O line provided, 
that access to each I/O line is carefully controlled so that there is no direct access 
to any of the memories from outside of the smart card. Thus, the processor may 
authendcate and validate incoming requests prior to making any change in the 
use rights of an application stored in the smart card, and may prevent unwanted 
or illegal attempts to decrease the use rights of an application. This 
authentication and validation may be conducted using cryptographic systems, 
such as public key encryption, or any other security system. Now, a preferred 
system for generating applets for a smart card will be briefly described. 
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Figure 2 is a block diagram showing the architecture of the smart card and 
the manner in which an applet 1S generated for the smart card. To provide 
sufficient security for the smart card, a preferred embodiment of a smart card 
may have a virtual machine 40 contained within the smart card. The virtual 
machine is comprised of a software interpreter 42 running on the hardware 
processor 22. The interpreter is a piece of software that acts as an interface 
between the hardware processor and the applets. In this manner, the a PP lets run. 
through the interpreter so that the applets do not have any direct access to the 
hardware of the smart card. Thus, the interpreter mav verify that none of the 
applets are performing illegal operations. Instead of a complete interpreter and 
virtual machine, the smart card may have a command dispatcher to control the 
access of the applets to various portions of the smart card. The dispatcher mav 
control access of the applets to the hardware by preventing the applets from 
receiving any access until an authentication check has been completed. A 
command dispatcher may be considered to be a reduced version of a general 
interpreter, and the command dispatcher interprets commands received from the 
applications instead of interpreting the entirety of the code of the applications. 

To execute an applet on an interpreter, as shown, source code 46 of an 
applet is compiled into a byte code 48. The byte code may then be executed by 
any interpreter on any smart card. The details of the architecture of the preferred 
smart card are set forth in more detail in PCT Application No. PCT/NL95/00055, 
published as International Publication No. WO 95/22126, which is incorporated 
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herein by reference. The organization of programs within the memory of the 
smart card will now be described. 

Figure 3 is a block diagram of the memory organization of the smart card 
5 20 that may include a system for loading applets into the smart card in 

accordance with the invention. The memory 24 of the smart card, which may 
include the ROM and NVM, may be logically organized into an OS layer 50, an 
executive layer 52, and an application layer 54. The OS layer may contain the 
most basic operating software, such as a cryptographic library 56, and an 
10 interpreter 5S. Tnese programs are permanent and may be stored in the ROM. 

The cryptographic iibrary may be used for authenticating access to the smart 
card, as described above. The interpreter 58, as described above, may be used to 
prevent an applet from directly accessing the hardware of the smart card. 

15 The executive layer 52 may contain, for example, an application launcher 

60, a conditional application loader 62 in accordance with the invention, and 
other OS sub-systems 64. The application launcher receives a request to access an 
application, and after appropriate authentication, launches and controls the 
applet. The conditional application loader 62 controls the loading of an 

20 application, or applet, into the N"VM of the smart card. The application loader 

may verify that the remote system desiring to load an applet into the smart card 
has the appropriate authority, and then may perform the necessary operations, as 
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described in more detail below, to load the applet into the NVM of the smart 



card. 



The application layer 54 may contain a permanent application 66 and one 
or more disposabie applications 68 having associated use nghts. The permanent 
application may be stored in the ROM since it is permanent and may be a 
credit/debit system that performs all of credit and debit transactions for all of the 
disposable applications having use rights within the smart card. The credit/debit 
system may operate with any type of use rights so that only a single credit/deb. 
application Ls needed for each smart card. In thus manner, the use rights of anv 
applet within the smart card may be changed by the permanent credit/debit 
application 66. In a preferred embodiment of the invention, the loader 62 and 
the credit/debit application 66 may be a Single program Since both programs 
operate on all of the applets having use rights. For example, an applet with use 
nghts needs the credit/debit application to authorize the reload if the applet 
when the use rights have been depleted, as described below. 

The disposable application 68 may be any type of application or applet 
with a lirruted lifetime, as defined by a certain number of use nghts, such as a 
predetermined number of telephone call minutes, a predetermined amount of 
money, or a predetermined number of store credits. As described below in more 
detail, conventional smart cards that replenished the use rights of a particular 
application require a separate use nghts loading system for each different 
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application because the use rights of each application may require different 
handling and security. For example, replenishing a certain number of store 
frequent buyer points onto a smart card may be different than replenishing the 
cash value of a debit applet, such as a point-of-sale applet, in the smart card. In 
addition, in order to replenish the use rights of any applet, the smart card 
needed to be physically connected with or returned to the card issuer since only 
the card issuer had the authority the alter the use rights for an applet. Therefore, 
every company who may have an applet on the smart card, must have a 
relationship with the card issuer so chat the card issuer can replenish the use 
rights of that applet. 

Significantly, however, the smart card in accordance with the invention 
may have a universal applet loader that may delete and then reload an entire 
applet instead of establishing a connection between the smart card and the applet 
issuer who then just reloads the use rights. Reloading the entire applet into the 
smart card means that the loader does not have to be specialized to handle the 
multiplicity of different types of use rights which could be present in the smart 
card since the entire applet, including the use rights, is being reloaded into the 
smart card. The loading of an applet into a smart card to permit the 
replenishment of the use rights of an applet will be described in more detail 



beiow. 
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The universal loader 62 ,n accordance with *. invention ^ be 



smart card has available 



10 load new applets into a smart card, provided that the 
memory. In addrhon, the unsversa, loader may also oermtt an appiet w, t h 
depieted use rights to be deleted from the memory of the smart card and 
replaced with a new different appitcahon havtng refreshed use rights. Each of 
these operabons will be descrtbed m more detail below. A preferred svstem. 
exierna, to the smart card, for ,oad,n g applets having use rights. ,n»o the smart 
card will now be described. 



Ftgure 4 is a block d.agram show.ng a system ,n accordance w„h the 
invention for load.ng an applet havtng use rights into a smart card. The svstem 
may tnclude the smart card 20, a termana, 80, and a server 82. The smart card 20 
is descrtbed above with reference to Figures 1-3. The termtnal may be operated 
by the smart card .ssuer, or by some other enhty. such as a bank. The termtnal 
may be a bank ATM teller, a ternatnat in a bank or a home computer svstem. 
The server may be ma.ntamed by a bank or the tssuer of the smart card, and 
may contatn downloadable applets. The connection between the terminal and the 
server may be any conventional network, such as the usual correction between 
ATM machines across the world. 

As described above, the smart card may have the processor 22, the OS 
layer 50 and the executive layer 52 stored in the ROM 26, and the applications 
layer 54 stored in the NVM 30. In addition, the smart card may have an interface 
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system 86 that may connect the smart card to the terminal 80 using a 
corresponding interface S8. A second interface 90 may connect the terminal to 
the server 82 via an interface 92. Thus, the smart card may be connected, 
through the terminal, to the server. A preferred method of loading an 
application into the smart card will now be described. 



When the smart card is connected to the terminal, the processor 22, using 
the loader 62. verifies the authenticity of the terminal and of the server. The 
terminal and the server may also verify the authenticity of the smart card. For 
example, when the smart card is connected to the rerminai, the user mav enter a 
personal identification number (PEN) that may be verified by the server. As 
another example, the server may send a coded word that must be correctly 
answered by the smart card. If the server and the smart card authenticate each 
other, then the universal loader 62 within the smart card begins the loading 
process. The applets stored on the server, regardless of the type of use rights, 
may all have a common structure so that the universal loader does not have to 
distinguish between different types of applets except to identify which one(s) to 
load. As shown, the NVM 30 may currently store the permanent credit/debit 
application 66, and an existing first applet 94 with use rights. After the loading 
operation, as described below, the NVM memory may also have a second new 
applet 96 with use rights. In the smart card shown, the use rights of the first 
applet 94 have been depleted. Therefore, a new copy of the applet 98 with 
refreshed use rights, located on the server 82, may be loaded into the NVM of the 
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!ml " Card - ThS applet 98 -» "ghts repiaces t he original app.e, 

94 with depleted use rights. 



In addition to the replenishment of use rights, a new 100 applet having use 
rights may be loaded into the smart card 20 from the server 82 in a similar 0 
manner. Therefore, after the load process is complete, the smart card may have a 
first applet with replenished use rights, and the new second applet 96 with 
predetermined use rights. As an example, a smart card that has a telephone call 
applet with depleted use rights may have a new telephone call applet with 
refreshed use rights as well as a debit applet with a predetermined value, e.g., 
S100, loaded onto the smart card. The connections between the terminal 80 and 
the server 82 may be conventional network system that may be used for home 
banking and the like. Several examples of loading applets into a smart card, in 
accordance with the invention, will now be described. 



As described above, conventional smart cards replenish the use rights of 
an applet by reloading new use rights into an applet on the smart card. The 
problems with reloading the use rights of an applet into a smart card have been 
described above. Now, several examples of the operation of the applet loading 
system in accordance with the invention will be described. 

Figure 5 is a block diagram of the loading system in accordance with the 
invention being used to replenish the use rights of an applet within a smart card. 
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As shown, the smart card 20 may have, for example, a first applet 102, a second 
applet 104, and a third applet 106. In this example, the first and third applets 
have use rights remaining, whereas the second applet needs to have its use rights 
replenished. In accordance with the invention, a new second applet 10S with 
replenished use rights is loaded into the smart card 20 and replaces the old 
second applet 104. Thus, after the loading process., the smart card mav have a 
first applet 102, a third applet 106, and a new second applet 108 with replenished 
use rights. As shown, only the second applet is affected by the loading process. 
As described above, since the entire applet is loaded back inco the smart card, the 
type of the use right of the applet is irrelevant, and the loading svstem mav 
reload any type of applet within the smart card regardless of the type of use 
rights that the applet may have. 



Figure 6 is a block diagram of the loading system in accordance with the 
15 invention being used to load a disposable application onto an existing smart card. 

As shown, the smart card 20 may have a first applet 102. In addition, at a 
remote system 112, a disposable applet 114 may be stored. The disposable applet 
may be loaded into the smart card 20 so that the smart card may contain the first 
applet 102 and the new disposable applet 114. The disposable applets may be 
20 easily loaded into the smart card. In addition, once the use rights of the 

disposable applet are exhausted, the disposable applet may be replaced, using 
the loading method in accordance with the invention, with a new applet having 
new use rights. 
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For example, a use, ,av taKe a trip to a fore.gn countiv and des.re 
local currency ,o be placed cn me smart card so t ha t he does no, hav 

currency apple, since he will no, have any further need tor It Thus, the 
invention enables the foreign currency apple, to be replaced by, for example, a 
prepaid telephone call applet. 

Figure 7 is a block diagram o, fhe loadtng svstem ,„ accordance w.fh ,he 
mvention bemg used ,o repienush the use nghts of an a FP ,e, ,„ . smart card fa 
mas example, ,he smar, card 20 has a single apple, „ 6 mth use nghts ^ 
some time, the use r,gh,s of ,he apple, have been depleted. ,n accordance w„h 
fhe mvention. the apple, 116 mav be replaced bv a new acp.e, 120 mat has me 
same functions as the old apple:, bu, has replerushed use rights. 

The invention, as shown. is no, Unuted ,o any particular number of applets 
and may by used to replerush the use nghts of as few as a s.ngle a PP ,e, or to 
replenush the use nghts multiple ap pl e,s. The mvennon mav also be used ,o load 
and replace a s.ngle deposable apple, on,o a smar, card. A method of deb.ting 
use rights in a smart card will now be described. 



ts in a smart 



Figure 8 is flowchart of a method 200 of deb, ting use rights 
card. Firs, in sfep 202. an apple, within the smar, card may be selected. For 
example, when a smart card is placed into a telephone ,ermanai, men the apple, 
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with the telephone use rights may be selected by the terminal. In order ro select 
the applet, the smart card may verify that the terminal has the proper authority 
to access that particular applet. Then, at step 204, the smart card receives an 
application selection command from the terminal, for example. If the application 
selected is not initialized or present in the smart card, the method ends in step 
206. - If a valid application is selected, then in step 20S, after a debit use rights 
command is issued, the smart card receives a debit use rights command at step 
20S. If the use rights have been exhausted already, then in step 210, the debit 
fails, and in step 212, the use rights of the applet may be replenished, as 
described below. Lf a valid debit command is received, then in step 214, the 
decreased use rights of the applet are calculated and stored in the memory of the 
smart card. Then, if there are additional debits for the applet, the method loops 
to step 208, otherwise. the method ends at step 216. The method of replenishing 
the use rights for an applet on the smart card in accordance with the invention 
will now be described. 

Figure 9 is a flowchart of the step 212 of Figure 8, for replenishing the use 
rights of the applet in accordance with the invention. The applet may be selected 
because it has expended its use rights or because the user selects a particular 
applet. As described above, the universal loader can load any type of applet 
with any type of use rights from the server to the memory of the smart card. In 
addition, since the loader can load any type of applet, it is not necessarv to get 
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-he use rights c f the app.e, reloaded by [he [ssuer Thus ^ 
loader permits a greater amount of flexibility. 



Ooce any of the app.e, w.th the assooated use rights has been selected a, 
step 230, the smart card verifies the authenhcrfv of the prov.der. such as the 
serve., of the appfet. ,f the authenhcabon fads, then the method ends at step ,3, 
if -he authenhcabon is successful, then in step 234. the prov.der, w..h the help of 
the loader, loads the applet into the NVM of the smart card. 



Tvp.cally, authenhcadon of the app.et code may oe achaeved bv the smart 
card through me ver.hcahon of a digital s.gnature, a cryptograph, check s„ or 
a predetermined hash value, in step Z36, the smart card ver.f.es the authenticity 
of the program code of the app,et ,0 defect viruses, and the like. In step 238. i, 

the authentication of the applet codp f^iU m_ tU 

ppie. code fails, then the applet code is delered from 

the memory of the smart card. 



The nex, step is an ophona! step tha, ,s not reoutred in order to ioaa 



an 



applicadon info a smart card in accordance with the invention. Thas step requnes 
a smart card vnth a larger amount of memory. In this ophona, step 240. the 
smarr card may perform stadc type checkmg and a syntax check of the code of 
«he apple,. If thas check fads, then ,n s tep 242, the app.e, code „ dekted frQm 
-be memory of the smar, card, m the last step 244. the smart card Wo a,,aes the 
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code of the applet so that the use rights of the applet mav be debited, as 
described above with reference to Figure S. 



While the foregoing has been with reference to a particular embodiment of 
the invention, it will be appreciated by those skiiied in the art that chancres in 
this embodiment may be made without departing from the principles and spirit 
of the invention, the scope of which is defined by the appended claims. 
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Claims: 



■ 1. A system for loading an application and its associated use nghts 
into a smart card hav.ng other applications, some of the other applicadorjwith 
associated use nghts that have values that change as the appUcadon is used, the 
system comprising: 

mean, for storing, remotely from said smart card, an application and use 
nghts with a predetermined initial value, associated with the application: 

said smart card having a processing unit, and a memorv unit, the memorv 
urut being connected to the processing unit and storing a second application 
9 having use rights; 

means for connecting said smart card to said remote storage means; and 
means for loading said application, having use rights With a 
predetermined value, from said remote storage means into said smart card. 

2. The system of Claim 1, wherein the use rights have a refreshed state 
and a depleted state, the use rights of the second application being depleted and 
the use rights of the application being refreshed, and further comprising means 
for replacing said second application stored in the memory with said application 
at the remote storage means so that the use rights of the application m the 
memory are replenished. 
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1 3. The system of Claim 2., wherein the connecting means further 

2 comnnses means for verifying the authority of the remote storage means to load 
5 an abdication into the memory of the smart card. 

1 4. Smart card apparatus for loading an application having use rights 

2 with" values which meter use of the application, the smart card comprising: 
5 a processor for executing an application; 

4 a memory, connected to the processor, for storing multiple applications. 

5 including a first application having first use rights and having first values 

6 associated with the first use rights, the first value changing from a predetermined 

7 initial value with use of the first use rights; 

S an interface enabling the processor of said smart card to communicate with 

9 a remote location; 

10 means for receiving in the smart card a second application from said 

11 remote location over said interface, the second application having second use 

12 rights; and 

13 means for storing said second application into said memory in said smart 

14 card. 

1 5. The smart card apparatus of Claim 4 further comprising means for 

2 replacing said first application stored in the memory with said second application 

3 from said remote location so that the use rights of the application in the memory 

4 are replenished. 
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6. The smart card apparatus of Clarm 5. wherein the receivmg means 
further compnses means for verifymg the authority of the remote ,ocat ; on to load 
an applicahon into the memory of the smart card. 

7. A method of repierushung use rights in an application stored in a 
smar, card, the use rights having a refreshed state and a de ple ,ed state and betng 
depleted with use of the apphcadon. the smart card having a processor and a 
memory for stormg the application, the method comorisin- 

connecting a smart card having a first application with use rights in a 
depleted state to a communications system, the communications svstem being 
connected to a svstem remotely located from said smart card, the system stormg 
a second application having equivalent use rights to the first use rights, the 
equivalent use rights having a refreshed state; 

verifying in the card that said remote storage svstem has the authority to 
replace the first application in the smart card; and 

replacing the first application in said memory with said second application 
having refreshed use rights so that the use rights of the application located 
within the memory of the smart card are replenished. 

8. The method of Claim 7, wherein replacing further comprises 
deleting said first application from said memory of said smart card, and loading 
said second application having refreshed use rights from said remote storage 
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4 location into said memory of said smart card so chat the use rights of the 

5 application located within the memory of the smart card are replenished. 

1 9. A method of loading an application into a smart card, the 

2 application having use rights with a refreshed stare and a depleted state and 

3 being depleted with use of the application, the smart card having a processor and 

4 a memory for storing the application, the method comprising: 

5 connecting a smart card having a first application with use rights to a 

6 communications system, the communications system being connected to a svstem 

7 remotely located from said smart card, the system storing a second apolicarion 
S having use rights; 

9 verifying in the smart card that said remote storage system has the 

10 authority to load the second application into the smart card; and 

11 loading said second application having refreshed use rights into the 

12 memory of the smart card so that the second application may be used. 

13 10. The method of Claim 11, wherein the first application has depleted 

14 use rights, the second application having refreshed equivalent use rights to the 

15 first application, and wherein the loading comprises replacing the first 

16 application in said memory with said second application having refreshed use 

17 rights so that the use rights of the application located within the memory of the 

18 smart card are replenished. 
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H. Smart card apparatus for loadtng an apphcation hav.ng use rights 
with values which meter use of the appl.cation, the smart card comprising: 
a processor for executing an appiication; 
a memory, connected to the processor, for storing multiple apphcation., 
5 including a first appi.cafion having first use rights and having firs, values 

associated with the first use righfs. the firs, vaiue changtng from a predeternuned 
initial value with use of the first use rights; 

means for loading in the smar, card a second application from a remote 
location over an interface, the second application having second use rights; 

means for storing said second apphcation into said memory ,n said smar, 
11 card; and 



means for changing the use nghts of said first application and said second 
13 application. 



1 12. The smart card apparatus of Claim 1 1, where said second 



use 



application has equivalent use nghts to the first use rights, the equivalent 
nghts having a refreshed state, and wherein storing means further comprises 
means for replacing the first application in said memory with said second 
application having refreshed use rights so that the use rights of the application 
located within the memory of the smart card are replenished. 
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